An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Monthly Archives: January 2012

Congressman Markey (D-Mass.), co-chair of the Bi-Partisan Congressional Privacy Caucus, released a discussion draft of a bill today aimed at addressing the privacy concerns brought to light recently regarding the use of monitoring software on mobile phones. The proposed bill, named the Mobile Device Privacy Act, would require several companies involved with mobile phones to disclose the use of phone monitoring software and obtain the user’s express consent to transmission of data from the phone.

The bill would require disclosures regarding use of phone monitoring software prior to the sale of a phone by the company selling the phone, and after the sale by the wireless carrier, manufacturer, and/or providers of mobile phone apps if monitoring software is later installed on the phone. The required disclosures would identify the following: the types of information the monitoring software is capable of collecting and transmitting, any person to whom the data will be transmitted, how the data will be used, and whether such data will be shared. The bill would also require the Federal Trade Commission to promulgate regulations imposing reasonable information security obligations upon recipients of data from monitoring software.

Violations of the proposed bill could be enforced by the Federal Trade Commission (as an unfair or deceptive act or practice), the Federal Communications Commission (as a violation of the Communications Act of 1934) and state attorneys general. There is also a private right of action with the ability to seek the greater of $1,000 per violation or actual damages, with treble damages for willful violations.

Markey’s bill comes in the wake of the recent controversy over the use by several wireless carriers and phone manufacturers of Carrier IQ monitoring software. The Carrier IQ controversy came to light last fall when a researcher discovered and reported that Carrier IQ software secretly collects vast amounts of data regarding use of a mobile phone. The controversy resulted in Markey requesting investigation by the FTC, Senator Franken (D-Minn.) requesting information from Carrier IQ, and numerous putative class action lawsuits. In a statement released in response to Senator Franken’s request, Carrier IQ claims that its software is only used by wireless carriers to diagnose network problems and provide customer care.

In a 9-0 opinion released on Monday, the Supreme Court found that the installation of a Global-Positioning-System (GPS) device on a suspected drug dealer’s car without a current search warrant violated the Fourth Amendment’s prohibition on unreasonable searches. All nine justices agreed on the fundamental Fourth Amendment proposition but differed in their reasoning, leaving uncertain the scope of digital privacy.

The high court heard the case after the D.C. Circuit overturned the conviction of Antoine Jones, a nightclub owner convicted for conspiracy to distribute cocaine. His conviction was primarily based on the 2000 pages of data transmitted from the GPS device agents had secretly planted on Jones’s car for 28 days.

The majority opinion, written by Justice Scalia and joined by Chief Justice Roberts and Justices Kennedy, Thomas, and Sotomayor, emphasized the fact that the Government had physically occupied private property for the purpose of obtaining information. Applying traditional notions of trespass to the Fourth Amendment analysis, the high court stated, "[w]e have no doubt that such a physical intrusion would have been considered a ‘search’ within the meaning of the Fourth Amendment when it was adopted." While the majority made clear that the trespass test was not the exclusive test, it declined to address to what degree the reasonable expectation of privacy test applied in digital privacy cases not involving a trespass.

A concurrence authored by Justice Alito and joined by Justices Ginsburg, Breyer, and Kagan criticized the majority’s reliance on the trespass-based rule, or what Justice Alito described as “18th century tort law.” Justice Alito would have analyzed the question presented by asking whether Jones’s reasonable expectations of privacy were violated by long-term GPS monitoring. He noted the panoply of new devices operating GPS technology, such as smart phones and other location-based services offered as social tools. In an environment of dramatic technological change, Justice Alito acknowledged that the best solution to privacy concerns may be legislative. In the absence of such guidance, Justice Alito’s concurrence suggests the exclusive application of the reasonable expectation test to all digital privacy cases.

An additional concurring opinion by Justice Sotomayor feared the majority decision would provide little guidance in cases of electronic or other novel modes of surveillance that do not depend on a physical invasion of property. Her concern touched less on the mode of surveillance than on the content of sensitive data collected. Accordingly, Sotomayor suggested a paradigm shift in the way that privacy issues are considered. In her view, the premise that the individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties is ill-suited to the digital age and should be reformed.

At a minimum, this case demonstrates the Supreme Court’s recognition of the need to preserve privacy in an increasingly digital age. Given the majority’s limited holding, however, many questions about digital privacy remain unanswered.

On January 6, 2012, a Massachusetts District Court, in Tyler v. Michaels Stores, Inc., held that zip code information is personally identifiable information (“PII”) under a state consumer protection statute. In Tyler, the plaintiff provided her zip code to a cashier at Michaels’ arts and crafts store while making a purchase with her credit card. According to the plaintiff, Michaels then combined her zip code with other information to obtain her home mailing address, and began sending unwanted marketing materials. The plaintiff argued that the collection and recording of zip codes during a credit card transaction violates Mass. Gen. Laws ch. 93 § 105, under which a business cannot “write, cause to be written or require that a credit card holder write [PII], not required by the credit card issuer, on the credit card transaction form.”

In its order, the Court dismissed the case because the plaintiff was unable to show cognizable injury. Nevertheless, the Court held that zip codes are PII because such information is consistent with language in a Massachusetts criminal identity theft statute that defines PII as any “number” used “alone or in conjunction with any other information” to assume the identity of an individual. Moreover, despite Michaels’ argument that the state statute applies only to credit card information recorded on paper, the Court stated that the statute applies to all credit card transactions, including those processed manually, electronically, or by other methods.

Businesses that collect customer information at the sales register should continue to closely follow this issue as this case, as well as the recent California Supreme Court decision in Pineda v. Williams-Sonoma Stores, Inc., may foretell lawsuits in other states with consumer protection statutes that are similar to those in Massachusetts and California.

A recent FTC settlement underscores that, in 2012, the FTC will continue to hold companies accountable for providing full disclosures about the extent to which their online services collect and transmit personal information. On January 5, 2012, the FTC announced a settlement with Upromise, Inc., a membership service that helps consumers save money for college, over charges that the company misled users about the extent to which it collected and shared their personal information through a “Personalized Offers” feature on a web browser toolbar, and then failed to properly secure the user information that it collected.

Upromise provides a service that allows users to contribute to a college savings account by collecting rebates that are acquired when users purchase goods and services from Upromise partner merchants. Upromise provided users with a web browser toolbar that highlighted Upromise’s partner merchants appearing in a user’s search results, thereby enabling users to more easily identify merchants that provide the college-savings rebates.

According to the FTC, when users enabled the “Personalized Offers” feature, the toolbar collected and transmitted the names of the websites visited by users, as well as information that users entered into those websites, including search terms, user names and passwords, and financial information. The Commission also alleged that users who downloaded the toolbar were told by Upromise that any personal information collected would be removed before it was transmitted, and that Upromise had security features in place to protect the personal information. The FTC claimed that Upromise’s alleged actions were unfair and deceptive and violated the FTC Act.

The FTC settlement bars Upromise from using its web browser toolbar to collect users’ personal information without clearly and conspicuously disclosing the extent of its data collection practices before users download the toolbar. Upromise also must destroy any personal information previously collected through the “Personalized Offers” feature, obtain consumers’ consent before installing or re-enabling its toolbar products, and notify users how to uninstall the toolbars currently residing on their computers. The settlement further bars Upromise from making material misrepresentations about the extent to which it protects the privacy and security of consumers’ personal information, and requires the company to establish a comprehensive information security program that includes biennial independent security audits for the next 20 years.